 VPCart Forum
 Credit card fraud and hackers
 SQL Injection
geneseewaterways
Starting Member

USA
1 Posts

Posted - October 26 2009 : 13:51:31
Recently recovered from a SQL injection. Check the update patches and we were up to date. Is there a known back door that allows this to happen and is there a patch coming to fix it or is there anything I can do to close the security hole?

support
Administrator

4679 Posts

Posted - October 26 2009 : 15:26:30
Hi there,

You should also check any custom coding to ensure all database calls are cleansed.

VPASP is as far as we know completely secure so if you have installed all patches then the culprit can only be custom coding.

Depending on what method of entry the hackers are using you may also want to look for any suspicious files on the server as well.

Hope this helps.

Thanks

Cam
VPASP Support

Steve2507
VP-CART Expert

590 Posts

Posted - October 26 2009 : 15:48:25
Good advice Cam.

Just to clarify, when you say "cleanse" do you mean something like this:

categoryid=cleanchars(Request("id"))
Steve

support
Administrator

4679 Posts

Posted - October 27 2009 : 06:01:10
Hello Steve,

Yes you are correct. Simply add cleanchars() and it should cleanse the request.

Regards,
Frank
VP-ASP Support
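The kind of custom database call Cam and Frank are talking about, written so that the request value can never become part of the SQL text. This is an added example, not VP-ASP's own code: cleanchars() is VP-ASP's cleansing function and is not reproduced here, and the connection variable conn, the products table and its catid and cname columns are assumed names.

```vbscript
<% Option Explicit %>
<%
' Added example, not VP-ASP's own code. cleanchars() is VP-ASP's cleansing
' function and is not reproduced here; custom code should additionally keep
' request values out of the SQL text entirely. Assumed (hypothetical): an open
' ADODB.Connection named conn and a products table with catid and cname.
Const adCmdText = 1
Const adInteger = 3
Const adParamInput = 1

' Accept only a plain positive integer (up to 9 digits); anything else is
' rejected outright rather than "cleaned" and passed on.
Function SafeIntegerId(raw)
    Dim s, i
    s = Trim(raw & "")
    SafeIntegerId = 0
    If Len(s) = 0 Or Len(s) > 9 Then Exit Function
    For i = 1 To Len(s)
        If InStr("0123456789", Mid(s, i, 1)) = 0 Then Exit Function
    Next
    SafeIntegerId = CLng(s)
End Function

Dim catid
catid = SafeIntegerId(Request("id"))
If catid = 0 Then
    Response.Status = "400 Bad Request"
    Response.End
End If

' Vulnerable pattern commonly found in custom code: the raw request becomes SQL.
'   sql = "SELECT cname FROM products WHERE catid=" & Request("id")
' Hardened: the value travels as a typed parameter, never as part of the SQL.
Dim cmd, rs
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT cname FROM products WHERE catid = ?"
cmd.Parameters.Append cmd.CreateParameter("catid", adInteger, adParamInput, , catid)
Set rs = cmd.Execute
Do Until rs.EOF
    ' Encode on output as well, so stored data cannot inject HTML.
    Response.Write Server.HTMLEncode(rs("cname")) & "<br>"
    rs.MoveNext
Loop
rs.Close
%>
```

The same pattern applies to every custom query that takes user input, whichever VP-ASP table it reads or writes.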

dreamcatchers
Starting Member

USA
15 Posts

Posted - January 04 2010 : 02:42:52
I paid VPASP to upgrade my site to V6.5. I recently have been getting numerous SQL injection attacks.

The source of the problem turned out to be helpdesk software from ihelpdesk21, now called Quadrcore. They have many custom SQL commands which resulted in SQL injection in Customer, Products, Reviews, Content, and most Helpdesk tables.

With the help of VPASP support I am getting the database cleaned up and have deleted the Helpdesk software.

***** NOTE *****
Adding unproven tools such as ihelpdesk to your ecommerce system may result in the destruction of your web site and loss of many customers.

Ramon Smitherman

Edited by - dreamcatchers on January 21 2010 17:50:11

support
Administrator

4679 Posts

Posted - January 04 2010 : 03:28:48
Hi Ramon,

The software itself is secure. If you have custom code, though, there is a good chance this is not secure, as it needs to be written in such a way as to ensure injections cannot be made.

You also need to ensure that you have the latest security patches applied.

If you want us to have a look for you please submit a ticket in our online helpdesk at:

https://helpdesk.vpasp.com

Thanks
Cam

VPASP Support

devshb
Senior Member

United Kingdom
1904 Posts

Posted - January 04 2010 : 03:30:32
Your best bet would be to firstly make sure you're fully patched, and then, if you still get injected, look at the raw log files (or run McAfee site-checker) to see how they're getting in. Chances are it's via an unpatched file or a customisation.
You can't stop people from trying to attack the site, but by using patches and safe customisations it should stop attackers from being able to inject anything.
Keeping up to date with patches is probably the most critical point.

Simon Barnaby
Developer
www.BigYellowZone.com
Web Design, Online Marketing and VPASP addons